The U.S. Federal Communications Commission’s (FCC) Public Safety and Homeland Security Bureau (Bureau) has requested public input on a recent report on Cybersecurity Risk Management and Best Practices (Report) by the Communications Security, Reliability and Interoperability Council (CSRIC) for communications providers. The Report represents the latest example of the U.S. government’s continued attention to these issues following the President’s 2013 Executive Order on Improving Critical Infrastructure Cybersecurity. Comments are due May 29, with replies due June 26. Continue Reading
On 29 March, the Hong Kong Privacy Commissioner for Personal Data (the “Commissioner”) published a guidance note that supplements previous guidance on the use of closed circuit television systems and for the first time addresses the increasing use of unmanned aircraft systems (UAS, or, more popularly, drones). The Commissioner’s guidance is the first significant regulatory engagement on the use of UAS by a Hong Kong regulator. Continue Reading
Thank you to everyone who participated in the Hogan Lovells webinar “Russia Data Localization Update: New Details Emerge from Meetings with Russian Regulator” on 2 April 2015. This update follows an October 2014 presentation that outlined Russia’s newly enacted Data Localization Law. In this webinar, Hogan Lovells privacy and data protection attorneys Natalia Gulyaeva and Bret Cohen provided insight into the expectations of Russian regulators as the September 2015 implementation deadline approaches.
To access the a copy of the slide deck, click here.
To access the recorded webinar, click here (1 hr 17 mins — the webinar will start to play automatically).
Stay tuned to the blog for future updates on the law, including any future formal guidance from the Russian government.
Last week, U.S. District Court Judge Edward M. Chen denied AT&T Mobility’s motion to dismiss the Federal Trade Commission’s (FTC’s) October 2014 complaint alleging that AT&T engaged in unfair and deceptive practices in connection with its retail mobile broadband data services. AT&T argued that its status as a common carrier makes it exempt from enforcement of the FTC Act. The court disagreed. At issue is the scope of the common carrier exemption.
Earlier this month, the Canadian Radio-television and Telecommunications Commission’s (“CRTC’s”) Chief Compliance and Enforcement Officer issued a Notice of Violation and $1.1 million penalty to Compu-Finder for four violations of the Canadian Anti-Spam Legislation (“CASL”). Although Compu-Finder was apparently engaged in “flagrant” CASL violations, according to the Chief Compliance and Enforcement Officer, the CRTC also confirmed that it is assessing CASL complaints and that “a number of investigations are currently underway.” Therefore, organizations engaging with individuals located in Canada should review their communications and marketing practices for compliance under CASL and other applicable law. Continue Reading
On 1 April 2015, President Obama signed an Executive Order (the Order) authorizing the imposition of sanctions on individuals and entities determined to be responsible for or complicit in malicious cyber-enabled activities constituting a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. The Treasury Department’s Office of Foreign Assets Control (OFAC) simultaneously released FAQs related to the Order. The White House, in a statement by President Obama and in FAQs on the White House Blog, explained that the Order will be used to impose targeted sanctions against the “worst of the worst” malicious cyber actors, as well as companies that knowingly use stolen trade secrets. Continue Reading
The following piece, written by the Hogan Lovells privacy team, was posted to the International Association of Privacy Professionals’ (IAPP) Privacy Tracker on March 31. The post, Data Security and Breach Notification Legislation Gaining Traction in Congress, is reprinted in its entirety below with permission from the IAPP.
For more than a year now, we have been hearing that the spate of highly-publicized data breaches could lead to federal data security and data breach legislation. On March 25, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade took action that brings us closer to seeing that prediction become a reality. In this post, we take a closer look at the bipartisan legislation approved by the subcommittee—the Data Security and Breach Notification Act of 2015 (DSBN) — and discuss five key provisions that are likely to be at issue as the legislation moves forward. Continue Reading
Recently, new rules on cookies (all links in Dutch) came into force in the Netherlands. In addition, the Dutch Second Chamber approved a draft bill to introduce a mandatory data breach notification requirement and to strengthen the Dutch Data Protection Authority’s investigative and fining powers. The new rules apply to all companies acting as a “data controller” within the meaning of the Dutch Data Protection Act. The Dutch First Chamber has announced that it plans to review this draft bill as soon as possible. Continue Reading
In its recent Open Internet Order (“Order”), the U.S. Federal Communications Commission (FCC) determined that broadband Internet access services are appropriately classified as common carrier “telecommunications services” under the Telecommunications Act of 1996. In doing so, the agency established itself as the primary U.S. data privacy and security regulator for those services and triggered additional requirements under the Act. It also promised a future rulemaking that could result in a sea change in how ISPs and their business partners interact with consumer data. Although the decision is widely expected to be appealed in court, organizations operating across the broadband ecosystem would be prudent to assess the potential impact on their current and planned online service portfolio. Continue Reading
With the September 2015 effective date of Russia’s Data Localization Law less than six months away, the Russian data protection authority, Roskomnadzor, has still not issued any formal guidance on how it interprets the law’s broad requirement that companies must process and store the personal data of Russian citizens within Russia. Roskomnadzor has, however, recently held a series of meetings with different industry groups about the law. While Roskomnadzor’s views as expressed in these meetings do not constitute a formal position, they provide insight into how the regulator is likely to interpret the law. Continue Reading